It's pretty clear from the context and implications that when European legislators wrote "public authority" into the General Data Protection Regulation they didn't mean the same as the drafters of the UK's Freedom of Information Acts. "Public authority" isn't defined in the Regulation and I've not been able to find it in any other European law, so I'm grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.

I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However, that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.

The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I've found. GDPR Article 22 is one of several that begin "...

Although the Information Commissioner's "Twelve Steps to Prepare" is an excellent guide to what organisations need to do in the eighteen months before the General Data Protection Regulation becomes UK law in May 2018, following them in order from 1 to 12 may not be the best approach. Some of the steps depend on the results of others, some are likely to take ...

[Updated to include an example where multiple justifications are appropriate] One of the key steps in preparing for the General Data Protection Regulation is to know why you are processing each set of personal data, and which of the six legal justifications applies: consent, contract, legal obligation, vital interest, public interest or legitimate interest. The Regulation signif...

[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, and where is it kept. Many of the requiremen...

The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification. Now the Working Party is explicit that "immedi...